U.S. patent number 8,220,041 [Application Number 12/045,949] was granted by the patent office on 2012-07-10 for method and system for protecting a computer system during boot operation.
This patent grant is currently assigned to Trend Micro Incorporated. Invention is credited to Kevin Gerard Boyce.
United States Patent 8,220,041
Boyce
July 10, 2012
(A Certificate of Correction has been issued for this patent; see the patent images.)
Method and system for protecting a computer system during boot
operation
Abstract
A method for protecting a computer system from malicious network
traffic is provided using a driver which inspects network packets.
A security profile comprising packet inspection rules is compiled
and stored on the computer system. During the startup or boot
operation of an operating system, the driver loads the compiled
security profile and inspects network packets using the inspection
rules.
Inventors: Boyce; Kevin Gerard (Chelsea, CA)
Assignee: Trend Micro Incorporated (Tokyo, JP)
Family ID: 40751151
Appl. No.: 12/045,949
Filed: March 11, 2008

Prior Publication Data
Document Identifier: US 20090158419 A1
Publication Date: Jun 18, 2009

Related U.S. Patent Documents
Application Number: 61013491 (provisional)
Filing Date: Dec 13, 2007

Current U.S. Class: 726/13; 713/2
Current CPC Class: G06F 21/51 (20130101); G06F 21/575 (20130101)
Current International Class: G06F 7/04 (20060101); G06F 9/00 (20060101)
Field of Search: 726/13; 713/2
Primary Examiner: Gergiso; Techane
Attorney, Agent or Firm: IP-MEX Inc. Donnelly; Victoria
Parent Case Text
RELATED APPLICATIONS
The present invention claims priority from the U.S. provisional
application to BOYCE, Kevin, Ser. No. 61/013,491 filed on Dec. 13,
2007 entitled "Network Protection During Boot Operation", which is
incorporated herein by reference.
Claims
What is claimed is:
1. A method for protecting a computer system in a computer network
during boot operation of an operating system of the computer
system, the method comprising: (1) compiling a security profile of
the computer system into a compiled security profile for inspecting
packets transmitted to or from the computer system; (2) storing the
compiled security profile to a non-transitory computer readable
persistent storage medium accessible to a network driver of the
operating system during an early stage of the boot operation of the
operating system when kernel mode services are available and before
user mode services are initialized; and (3) by the network driver
of the operating system, loading the compiled security profile from
the non-transitory computer readable persistent storage medium into
a memory of the computer system during the early stage of the boot
operation of the operating system for inspecting packets
transmitted to or from the computer system via the computer network
based on the compiled security profile during the early stage of
the boot operation of the operating system.
2. The method of claim 1, wherein the compiled security profile
comprises one or more packet inspection rules for analyzing
structure of the transmitted packets.
3. The method of claim 2, further comprising: (4) by the network
driver, inspecting packets transmitted to and from the computer
system during the early stage of the boot operation by using the
one or more inspection rules, including analyzing structure of the
transmitted packets.
4. The method of claim 2 wherein the one or more packet inspection
rules comprises rule data which applies to one or more network
interfaces of the computer system.
5. The method of claim 2 wherein the one or more packet inspection
rules comprises rule data which applies to one or more network
addresses of the computer network.
6. The method of claim 1, wherein the step (1) comprises compiling
the security profile into the compiled security profile, which is a
binary format.
7. The method of claim 6, wherein the step of compiling the
security profile into the binary format comprises compiling the
security profile into a contiguous binary format.
8. The method of claim 6, wherein the step of compiling the
security profile into the binary format comprises compiling the
security profile into one or more tables.
9. The method as described in claim 8, wherein compiling the
security profile into one or more tables comprises compiling the
security profile into an index table comprising size and location
of other tables, a filter table comprising packet inspection rules,
and an address table comprising one or more network addresses of
the computer network.
10. The method as described in claim 9, wherein compiling the
security profile into one or more tables further comprises
compiling the security profile into an interface table comprising
addresses of one or more network interfaces of the computer
network.
11. The method as described in claim 1 wherein the step (3) further
comprises inspecting packets while the operating system is being
booted.
12. The method of claim 1, wherein the early stage of the boot
operation comprises the kernel mode services when the network
driver of the operating system becomes available.
13. A method for inspecting a data packet transmitted to or from a
computer system in a computer network during boot operation of an
operating system of the computer system, the method comprising: (1)
compiling a security profile of the computer system into a compiled
security profile, the security profile comprising one or more
packet inspection rules; (2) storing the compiled security profile
to a non-transitory computer readable persistent storage medium
accessible to a network driver of the operating system during an
early stage of the boot operation of the operating system when
kernel mode services are available and before user mode services
are initialized; (3) by the network driver of the operating system,
loading the compiled security profile from the non-transitory
computer readable persistent storage medium into a memory of the
computer system during the early stage of the boot operation of the
operating system; and (4) by the network driver of the operating
system, inspecting the data packet during the early stage of the
boot operation of the operating system by comparing at least a
portion of the data packet with at least a portion of the compiled
security profile.
14. The method of claim 13 wherein the one or more packet
inspection rules comprises rule data which applies to one or more
network interfaces of the computer system.
15. The method of claim 13 wherein the one or more packet
inspection rules comprises rule data which applies to one or more
network addresses of the computer network.
16. The method of claim 13, wherein the step (1) comprises
compiling the security profile into the compiled security profile,
which is a binary format.
17. The method of claim 13, wherein the step of compiling the
security profile into the binary format comprises compiling the
security profile into a contiguous binary format.
18. The method of claim 16, wherein the step of compiling the
security profile into the binary format comprises compiling the
security profile into one or more tables.
19. The method as described in claim 13 wherein the step (4)
comprises inspecting packets while the operating system is being
booted.
20. A system for protecting a computer system in a computer network
during boot operation of an operating system of the computer
system, the system comprising: a processor, and a non-transitory
computer readable storage medium, comprising computer readable
instructions stored thereon for execution by the processor, causing
the processor: (1) to compile a security profile of the computer
system into a compiled security profile for inspecting packets
transmitted to or from the computer system; (2) to store the
compiled security profile to a non-transitory computer readable
persistent storage medium accessible to a network driver of the
operating system during an early stage of the boot operation of the
operating system when kernel mode services are available and before
user mode services are initialized; and (3) by the network driver
of the operating system, to load the compiled security profile from
the persistent storage medium into a memory of the computer system
during the early stage of the boot operation of the operating
system for inspecting packets, transmitted to or from the computer
system by the computer network, according to the compiled security
profile during the early stage of the boot operation of the
operating system.
21. The system according to claim 20 wherein the compiled security
profile comprises one or more packet inspection rules in a binary
format for comparing at least a portion of a packet with at least a
portion of the compiled security profile.
22. The system according to claim 21 wherein the one or more
inspection rules comprises rule data which applies to one or more
network interfaces of the computer system, or one or more network
addresses of the computer network.
23. The system as described in claim 20 wherein the network driver
is a kernel network driver of the operating system.
24. The system of claim 15, wherein the early stage of the boot
operation comprises the kernel mode services when the network
driver of the operating system becomes available.
25. A boot protection apparatus for protecting a computer system in
a computer network during boot operation of an operating system of
the computer system, the boot protection apparatus comprising: a
non-transitory computer readable storage medium, comprising
computer readable instructions stored thereon for execution by a
processor, forming: a network driver of the operating system,
comprising: (i) a boot module for loading a compiled security
profile stored in a persistent storage medium and comprising packet
inspection rules into a memory of the computer system during an
early stage of the boot operation of an operating system of the
computer system when kernel mode services are available and before
user mode services are initialized; and (ii) a packet module for
inspecting packets transmitted to or from the computer system by
the computer network during the early stage of the boot operation
of the operating system according to the inspection rules.
26. The boot protection apparatus of claim 25 wherein the network
driver comprises an NDIS (Network Driver Interface Specification)
intermediate driver.
27. The boot protection apparatus as described in claim 25 wherein
the packet module is configured to inspect packets transmitted to
or from a kernel driver of the operating system that is undergoing
the boot operation.
28. The boot protection apparatus of claim 25, wherein the early
stage of the boot operation comprises the kernel mode services when
the network driver of the operating system becomes available.
29. A non-transitory computer readable storage medium comprising
computer code instructions stored thereon for execution by a
processor, causing the processor to: (1) compile a security profile
of the computer system into a compiled security profile for
inspecting packets transmitted to or from the computer system; (2)
store the compiled security profile to a computer readable
persistent storage medium accessible to a network driver of an
operating system of the computer system during an early stage of
the boot operation of the operating system when kernel mode
services are available and before user mode services are
initialized; and (3) by the network driver of the operating system,
loading the compiled security profile from the computer readable
persistent storage medium into a memory of the computer system
during the early stage of the boot operation of the operating
system for inspecting packets transmitted to or from the computer
system via the computer network based on the compiled security
profile during the early stage of the boot operation of the
operating system.
Description
FIELD OF THE INVENTION
The present invention relates to computer security systems, and in
particular, to an improved method and system for protecting a
computer system during boot operation.
BACKGROUND OF THE INVENTION
The Internet has become a place over which unwanted, potentially
harmful, and otherwise unsolicited data traffic is transmitted.
Since complex computer systems and networks may not always be
configured securely, and the installed software on computer systems
often contains software defects and other vulnerabilities, they
have become a target for intruders seeking to obtain unauthorized
access or even outright control of a computer system.
This phenomenon has given rise to an industry providing various
tools for "defending" networks, servers and computer workstations
against such traffic, while allowing legitimate traffic to pass
unhindered. A "firewall" is typically software that is installed in
a network node; traffic passing through a firewall is inspected by
first intercepting each packet and applying a set of rules to
determine whether the packet should pass or be stopped. A firewall
may be implemented in a networked computer such as a server or a
workstation, as well as in dedicated nodes such as network access
nodes and routers.
The functionality of a firewall may range from simple address
filtering in which packets with predetermined source addresses or
ranges of addresses are discarded, to more complex processes, which
include: discriminating traffic on the basis of the protocol, for
example ICMP (Internet Control Message Protocol), UDP (User
Datagram Protocol), TCP (Transmission Control Protocol), etc;
filtering based on source and destination ports of each packet;
tracking the connection state to determine protocol violations; and
the like. If needed, more sophisticated filtering may be done on
the basis of the message content itself, so called "deep" packet
inspection. Many computer systems which have firewall protection
nonetheless have a window of vulnerability during the system
startup, or during network reconfiguration where packets may be
processed contrary to intended policy, possibly compromising or
damaging the computer system.
This window of vulnerability occurs during boot operation, between
the time at which system network drivers are configured and the
later time at which normal user applications and higher level
system management services controlling the network security policy
may be activated. There is also a window of vulnerability when
network cards are added or reconfigured on the system while the
system has been shut down. In this situation, a computer system may
start up with a new network card that has no firewall protection
until an administrator updates the network security policy.
One existing solution to this problem is to apply a provisional
policy enabling only limited network access during boot operation.
However, such a policy may not be sufficient or may be too liberal,
thus causing problems with normal system startup, or still exposing
the computer system to some undesired access or attack during boot
operation.
Accordingly, there is a need for an improved method and system for
protecting a computer system during boot operation.
SUMMARY OF THE INVENTION
There is an object of the present invention to provide a method and
system for protecting a computer system during boot operation,
which would avoid or mitigate the above-mentioned drawbacks of the
prior art.
According to one aspect of the invention, there is provided a
method of protecting a computer system in a computer network during
boot operation of an operating system of the computer system, the
method comprising the steps of: (1) compiling a security profile of
the computer system into a compiled security profile; (2) storing
the compiled security profile to a computer readable storage medium
accessible during boot operation of the operating system of the
computer system to a driver of the computer system; and (3) by the
driver, loading the compiled security profile from the computer
readable storage medium into a memory of the computer system during
the boot operation for the purpose of inspecting packets
transmitted to and from the computer system via the computer
network based on the compiled security profile.
Conveniently, the compiled security profile comprises one or more
packet inspection rules compiled into definition tables and stored
in a contiguous binary format.
The method further comprises the step (4), by the driver,
inspecting packets transmitted to and from the computer system
during the boot operation by using the one or more inspection
rules.
Advantageously, the one or more packet inspection rules comprises
rule data which applies to one or more network interfaces of the
computer system. Alternatively, the one or more packet inspection
rules may comprise rule data which applies to one or more network
addresses of the computer network.
According to another aspect of the invention there is provided a
method of inspecting a data packet transmitted to a computer system
in a computer network during boot operation of an operating system
of the computer system, the method comprising the steps of: (1)
compiling a security profile of the computer system into a compiled
security profile, the security profile comprising one or more
packet inspection rules; (2) storing the compiled security profile
to a computer readable storage medium accessible during boot
operation of the computer system to a driver of the computer
system; (3) by the driver, loading the compiled security profile
from the computer readable storage medium into a memory of the
computer system during the boot operation; and (4) by the driver,
inspecting the data packet by comparing at least a portion of the
data packet with at least a portion of the compiled security
profile.
Beneficially, the one or more packet inspection rules comprises
rule data which applies to one or more network interfaces, or one
or more network addresses of the computer system.
The step (1) of the method comprises compiling the security profile
into the compiled security profile, which is a binary format.
Conveniently, the binary format is a contiguous binary format,
comprising one or more tables.
According to one more aspect of the invention there is provided a
system for protecting a computer system in a computer network
during boot operation of an operating system of the computer
system, the system comprising: (1) a compiler, for compiling a
security profile of the computer system into a compiled security
profile and storing the compiled security profile to a computer
readable storage medium; and (2) a driver of the computer system,
for loading the compiled security profile from the computer
readable storage medium into a memory of the computer system during
boot operation of an operating system of the computer system, and
inspecting packets transmitted to the computer system by the
computer network based on the compiled security profile.
The compiled security profile comprises one or more packet
inspection rules in a binary format. Preferably, the one or more
inspection rules comprises rule data which applies to one or more
network interfaces of the computer system, or one or more network
addresses of the computer network.
According to yet one more aspect of the invention, there is
provided a boot protection apparatus for a computer system in a
computer network, comprising: a driver stored in a computer
readable medium, the driver comprising: a boot module, which loads
a compiled security profile comprising packet inspection rules from
a computer readable storage medium into a memory of the computer
system during boot operation of an operating system of the computer
system; and a packet module, which inspects packets transmitted to
the computer system by the computer network based on the inspection
rules.
Conveniently, in the boot protection apparatus, the driver
comprises an NDIS intermediate driver.
A computer readable medium is also provided, comprising computer
code instructions stored thereon, which when executed by a
computer, perform the steps of the methods as described above.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 shows a computer system according to an embodiment of the
present invention in a network environment;
FIG. 2 shows an expanded block diagram of the computer system 100,
and functional components of the Boot Protection Apparatus 101 of
FIG. 1;
FIG. 3 shows a flow chart 300 illustrating operation of the Boot
Protection Apparatus 101 of FIG. 2;
FIG. 4 illustrates the Compiled Security Profile 202 of FIG. 2 in
more detail; and
FIG. 5 shows a flow chart 500 illustrating operation of the Agent
Driver 203 of the Boot Protection Apparatus 101 of FIG. 2.
DETAILED DESCRIPTION OF THE EMBODIMENTS OF THE INVENTION
One form of software security architecture for an IPS ("Intrusion
Prevention System") or IDS ("Intrusion Detection System") according
to the embodiments of the present invention includes three main
components, namely "Security Center", "Deep Security Manager
(DSM)", and "Agent", wherein:
"Security Center" is the server where IPS Filters, Detection Rules
and Expressions are defined;
"DSM" is the server portion that runs within an enterprise to
communicate to the Security Center to receive updates, run the
Recommendation Engine, query the Agents, and distribute security
configuration to the Agents; and
"Agent" is the software that performs the IPS/IDS operations on the
computer system.
As is known in the art, the boot operation of a computer system
primarily involves copying the operating system components from a
storage device into main memory, so that they can be executed by one
or more CPUs (Central Processing Units). The period of boot
operation is typically considered complete when the computer system
attains a state such that it is capable of running ordinary
software application programs. In general, the period of time
required for booting may vary considerably depending on the
operating system and the hardware in use.
Using a process known as virtualization, a computer system may also
be capable of running multiple operating systems simultaneously. In
a virtualized computer system, multiple virtual machines typically
share hardware resources without interfering with each other so
that several operating systems and applications may execute at the
same time on a single computer. In this environment, the boot
operation may refer to the initial startup of the entire computer
system, or to the loading of one or more of the concurrently
executing operating systems.
The method for protecting a computer system during boot operation
according to the embodiment of the invention involves encoding a
security profile for the computer system into a compiled security
profile having a data structure, which is suitable for direct use
by the Agent software. Portions of the Agent operate as low level
network driver software, which in the Microsoft family of operating
systems as one example is referred to as NDIS (Network Driver
Interface Specification). Security profiles contain rules and rule
data which are used by the Agent to identify various types of
network traffic and determine if it should be filtered. The
security profile is provided in a high level form, which in the
embodiment of the invention is written in an XML based
language.
In the preferred embodiment, the security profile is customized for
each computer system based on the primary role of the computer
system. For example, one set of filtering rules may be appropriate
for a Web Server, while a different set of rules may be applied to
a Database Server, since the type of expected network traffic for
each computer system under normal operating conditions is
different. This high level security profile is then compiled into a
compiled security profile comprising a number of definition tables,
to be also referred to herein as tables. The compiled security
profile is written to a file or other persistent storage medium,
which is convenient to access during boot operation. The compiled
security profile is preferably stored in a binary format in a
secure location to prevent tampering or unauthorized viewing.
In the preferred embodiment, the compiled format of the security
profile comprises a plurality of definition tables which are
designed to be easily transferred as a contiguous memory block. The
compiled security profile uses an Index header to locate the other
definition tables within the data structure of the compiled
security profile. Preferably, cross references between the tables
are achieved using a column referencing a row index of another
table. Conveniently, because of this type of cross reference
between the tables, the memory block containing the compiled
security profile can be loaded and used with minimal processing by
the Agent.
Note that certain columns in the compiled security profile can
contain "wildcard" rows, which allow rule data to apply to groups
of network interfaces or addresses. This assists in preventing a
computer system that is otherwise secure from being vulnerable
during the period of time that a computer system boot operation
commences with a newly installed network interface.
During boot operation, the driver component of the Agent, herein
referred to as the Agent Driver, is loaded into memory and
activated by an operating system on the computer system. In the
preferred embodiment, the Agent Driver is implemented as a miniport
intermediate driver in the Windows NDIS architecture that relays
data packets between the lower layer hardware drivers and the upper
layer protocol stack. During boot operation, the Agent Driver loads
the compiled security profile into computer memory as soon as
possible, which allows the Agent Driver to perform packet
inspection and filtering functions according to the rules defined
in the compiled security profile.
With reference to the diagrams, FIG. 1 shows the computer system
100 according to an embodiment of the present invention in the
network environment. The Computer System 100 may be connected to
one or more computer networks, of which only two networks, Network
A (102) and Network B (104) are shown. The networks 102, 104, in
turn, may be connected to other computer systems, of which only two
computer systems, Computer System B (106) and Computer System C
(108), are shown in FIG. 1. The Computer System 100 comprises Boot
Protection Apparatus 101, which performs the packet inspection and
filtering functions during boot operation of the computer system
100.
FIG. 2 shows an expanded block diagram of the computer system 100,
and functional components of the Boot Protection Apparatus 101 of
FIG. 1.
The computer system 100 including Boot Protection Apparatus 101
operates in the following manner. Security Profile Compiler 201
uses the Security Profile 200 to produce the Compiled Security
Profile 202. Further details of the Compiled Security Profile 202
are given in FIG. 4. During boot operation, Boot Module 204 of
Agent Driver 203 reads Compiled Security Profile 202 into computer
memory. Packet Module 205 then performs packet inspection and
filtering functions on packets transmitted and received by the
computer system.
In general, received packets from one or more network interfaces
shown as 208 and 209 are initially processed by the Kernel Network
Driver 207. Packets are then processed by the Packet Module 205 of
the Agent Driver 203 according to the Compiled Security Profile
202. The Packet Module 205 may discard the packet if the contents
of the packet match a rule in the Compiled Security Profile 202.
Otherwise, the packet is passed in this case to the Kernel Network
Stack 206 where it is processed by the operating system of the
computer system in an ordinary way. Packets, which are intended for
transmission from the computer system, originate from the Kernel
Network Stack 206 and are also processed by the Packet Module 205
of the Agent Driver 203 according to the data in the Compiled
Security Profile 202. Again, the Packet Module 205 may discard a
packet if the contents of the packet match a rule in the Compiled
Security Profile 202. Otherwise, the packet is passed to the
appropriate network interface where it is processed and transmitted
in an ordinary way.
Further details of the packet inspection and filtering functions
are given in FIG. 5.
FIG. 3 is a flow chart 300 illustrating operation of the Boot
Protection Apparatus 101 of FIG. 2. Upon Start (step 301), in step
303, the security profile 200 in the high level form is obtained
from persistent storage. The security profile 200 is preferably in
the XML format, and is generated by an application outside the
scope of this invention. For example, a portion of the security
profile 200 may contain XML similar to the following:
    <NetworkPolicy>
      <SystemSetting blockIpV6="1" FragmentTimeout="100"/>
      <InterfaceConfig interface="*" denyFragmentedPackets="true"/>
      <InterfaceConfig interface="00:40:30:10:fe:02" denyFragmentedPackets="false"/>
      <PacketFilter protocol="tcp" direction="incoming" action="deny">
        <SourceInfo/>
        <DestInfo addr="10.0.1.96"/>
      </PacketFilter>
      <PacketFilter protocol="udp" direction="outgoing" action="deny">
        <SourceInfo addr="10.0.1.96"/>
        <DestInfo addr="10.0.0.28"/>
      </PacketFilter>
    </NetworkPolicy>
In step 305, the security profile 200 is compiled by the security
profile compiler 201 into the compiled security profile 202, which
is preferably a compact binary format that can be processed later
by the Agent Driver 203 with minimal processing. In step 307, the
compiled security profile 202 is stored to persistent storage, to a
location which is accessible to the Agent driver 203 during boot
operation, followed by termination of the flowchart 300 (step
309).
FIG. 4 illustrates the Compiled Security Profile 202 of FIG. 2 in
more detail.
The Compiled Security Profile 202 includes a number of tables,
namely Index Table 401, System Table 402, Interface Table 403,
Filter Table 404, and Address Table 405, which are preferably laid
out contiguously.
The Index Table 401
Index Table 401 is the first table in the Compiled Security Profile
202. The Index Table 401 is used to quickly determine the size and
location of the other tables once the compiled security profile is
loaded into memory of the computer system 100, and comprises the
following columns:

    Column   Meaning
    0        number of rows in System table
    1        number of rows in Interface table
    2        number of rows in Filter table
    3        number of rows in Address table
For example, the address of System Table 402 may be quickly
computed as the base memory address of the compiled security
profile plus the size of the Index table.
Similarly, the address of Interface Table 403 may be computed as
the address of the System Table 402, plus the number of rows of the
System Table 402 (given by Index table column 0) multiplied by the
length of a row in the System Table 402. The length of a row within
a table is fixed for all rows in the table.
The addresses of the Filter Table 404 and Address Table 405 are
computed similarly to those above. It is contemplated that any
number of additional tables may be included in the Security Profile
202 to support further packet filtering functionality.
The System Table 402
System Table 402 includes multiple rows, with each row comprising
two columns, each typically one word in size. For example,
    Column   Meaning
    0        The setting identifier (integer id)
    1        The setting value (integer word)
The setting identifier enumerates one of a list of possible
predefined settings. The behavior of the settings is defined by the
setting value (V).
    Enumeration   Name               Meaning
    0             Allow IPV6         Allow packets with version == 6, if V = 1
    1             Fragment Timeout   Discard incomplete fragments after V milliseconds
    ...           Additional settings
These values are shown to illustrate the way that the tables may be
encoded in a compact fashion. If required, additional values can be
defined to control packet filtering.
The Interface Table 403
Interface Table 403 comprises one or more rows, with each row
containing multiple columns which govern packet processing behavior
in a similar way to the System Table 402, but on a per interface
basis. One or more network interfaces 208, 209 of the computer
system 100 are each given an integer identifier (1, 2, 3 . . . )
corresponding to an entry in the Interface Table 403. In general,
network interfaces 208, 209 each have an associated MAC address,
which is a persistent hardware identifier. Conveniently, the
Interface Table 403 includes the MAC address to ensure that the
same identifier is persistently assigned to the same physical
interface.
The packet processing for a packet received or transmitted on the
network interface 1 (208) is governed by the settings in the row
whose interface identifier has the value 1. If there is no row
corresponding to the network interface 1 (208), on which a packet
is received or transmitted, then the 0th row of this table is
used to govern the packet processing. This is especially useful,
for example, when network interfaces are added or replaced on the
computer system 100, and then it is rebooted.
TABLE-US-00005
    Column   Meaning                  Size/Type
    0        Ethernet Mac Address     8 bytes
    1        Deny Fragmented Packet   Integer word (0 = off)
    . . .    Additional values
As required, additional values could be defined in the Interface
Table 403 to control packet filtering.
The Filter Table 404
Filter Table 404 includes one or more rows, with each row
comprising a rule. The packet module 205 iterates over each of
these rows in turn to decide if a packet should be accepted or
discarded. If the packet matches one of the rows in the Filter
Table 404, then the packet is discarded. If, after processing all
rows in the Filter Table 404, the packet does not match, then it is
accepted. For example,
TABLE-US-00006
    Column   Name          Meaning                                        Size/Type
    0        Protocol      Matches the packet protocol field              word
    1        Direction     0 matches an incoming packet;                  word
                           1 matches an outgoing packet
    2        Source        0 matches any packet source address;           word
                           non-zero is an index into the address table
    3        Destination   0 matches any packet destination address;      word
                           non-zero is an index into the address table
To illustrate how the Packet Module 205 of FIG. 2 uses the Filter
Table 404 in packet processing, consider a row containing the
protocol value "6" and direction "0", with the source and
destination column entries both "0". Such a row matches every
incoming packet with protocol value 6, causing all such packets to
be discarded.
The Address Table 405
Address Table 405 comprises one or more rows, with each row
containing an address. In the preferred embodiment the address is
represented as a 32 bit integer.
TABLE-US-00007
    Column   Name         Meaning         Size/Type
    0        IP address   An IP address   Double word
A row is created for each unique, non-zero source or destination
address entry in the Filter Table 404.
Thus, collectively, the definition tables 401-405 provide a binary
format of the Compiled Security Profile 202, including packet
inspection rules.
FIG. 5 shows a flow chart 500 illustrating operation of the Agent
Driver 203 of the Boot Protection Apparatus 101 of FIG. 2. Upon
Start (step 500a), steps 501 and 502 are performed by the Boot
Module 204 of the Agent Driver 203. After the Compiled Security
Profile 202 is loaded in computer memory in step 502, the Packet
Module 205 is ready for inspecting packets in subsequent steps.
In step 503, a packet is received by the Agent Driver 203 as
originally described with regard to FIG. 2. The decision made in
step 504 determines if the packet was received from the Kernel
Network Driver 207 or the Kernel Network Stack 206. This
establishes the direction of the packet (incoming or outgoing)
which is used to select the appropriate rules. If the packet is
incoming from a network (exit "YES" from step 504), step 505 is
executed to inspect the packet according to the compiled security
profile, and step 506 determines if the packet should be discarded.
If the packet is discarded (exit "YES" from step 506), the
flow-chart 500 returns back to step 503 to process the next packet.
If the packet is not to be discarded (exit "NO" from step 506), the
packet is passed on to the Kernel Network Stack 206 for processing
(step 507) before the process returns to step 503 for the next
packet. For a packet traveling in the other direction (in other
words, a packet destined for the network), which corresponds to
exit "NO" from step 504, the packet is inspected in step 508
according to the compiled security profile, and the filtering
decision is determined in step 509. If the packet is discarded
(exit "YES" from step 509), the flowchart 500 returns back to step
503 to process the next packet. If the packet is not to be
discarded (exit "NO" from step 509), it is passed on to the Kernel
Network Driver 207 for processing (step 510) before the process
returns to step 503 for the next packet. The flow of network
traffic both to and from the computer system 100 continues to be
monitored in this fashion.
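The following is an added illustration, not code from the patent or from Trend Micro: it lays out the five tables 401-405 contiguously as described above, locates them from the Index Table alone, and runs the Filter Table decision of steps 505/508 over a constructed profile. Word width (32-bit little-endian), the 6-byte MAC zero-padded to the 8-byte column, and 1-based Address Table indices (so that 0 keeps its "match any" meaning) are assumptions the patent does not fix.

```python
import struct

# Added illustration, not the patent's code. Assumed: 32-bit little-endian words
# (the "double word" address too), MAC column = 6-byte MAC zero-padded to 8,
# and 1-based Address Table indices so that 0 keeps its "match any" meaning.
W = "<I"
INCOMING, OUTGOING = 0, 1
ROW = {"system": 8, "interface": 12, "filter": 16, "address": 4}  # bytes/row

def compile_profile(system, interfaces, filters, addresses):
    """Emit Index, System, Interface, Filter and Address tables contiguously."""
    index = struct.pack("<4I", len(system), len(interfaces), len(filters), len(addresses))
    sys_t = b"".join(struct.pack("<2I", sid, val) for sid, val in system)
    if_t = b"".join(mac + struct.pack(W, deny) for mac, deny in interfaces)
    flt_t = b"".join(struct.pack("<4I", *row) for row in filters)
    adr_t = b"".join(struct.pack(W, a) for a in addresses)
    return index + sys_t + if_t + flt_t + adr_t

def table_offsets(blob):
    """Locate every table from the Index Table alone: {name: (offset, rows)}."""
    offsets, pos = {}, struct.calcsize("<4I")
    for name, n in zip(ROW, struct.unpack_from("<4I", blob, 0)):
        offsets[name] = (pos, n)
        pos += n * ROW[name]  # row length is fixed within a table
    return offsets

def inspect(blob, protocol, direction, src, dst):
    """True = discard: the packet matched a Filter Table row (steps 505/508)."""
    tabs = table_offsets(blob)
    flt_off, n_flt = tabs["filter"]
    adr_off = tabs["address"][0]
    def addr(i):  # resolve a 1-based Address Table index to its 32-bit value
        return struct.unpack_from(W, blob, adr_off + (i - 1) * ROW["address"])[0]
    for r in range(n_flt):
        proto, dirn, s, d = struct.unpack_from("<4I", blob, flt_off + r * ROW["filter"])
        if (proto == protocol and dirn == direction
                and (s == 0 or addr(s) == src) and (d == 0 or addr(d) == dst)):
            return True  # first matching rule discards the packet
    return False  # no rule matched: accept

def example_profile():
    """Constructed sample: discard all inbound TCP; discard outbound UDP to 192.168.0.1."""
    return compile_profile(
        system=[(0, 1)],                                      # Allow IPV6 = 1
        interfaces=[(bytes(8), 0)],                           # default row 0 only
        filters=[(6, INCOMING, 0, 0), (17, OUTGOING, 0, 1)],
        addresses=[0xC0A80001])
```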
Although the various methods described above are conveniently
carried out on a general purpose computer, one of ordinary skill in
the art would recognize that such methods may be carried out in
hardware, in firmware, or in a more specialized apparatus
constructed to perform the required steps. The type of computer
network used may be a version of Internet Protocol (IP) network, or
any other appropriate packet network. The format of the compiled
security profile 202 can also easily be extended to accommodate
additional table structures and other data as needed to protect the
computer system 100 during boot operation. Further, the table
structures may be organized in any appropriate format, and the
sizes of individual column entries may be expanded or reduced as
needed to accommodate other networks, addressing structures, or
other data stored in the compiled security profile.
Thus, an improved method and system for protecting a computer
system during boot operation has been provided.
The present invention provides the following advantages. It
addresses the problem of vulnerability during computer system boot
operation where network packets may be processed contrary to
intended policy, possibly compromising or damaging the computer
system. Computer systems, to be protected by the system and method
of the embodiments of the invention, may have single or multiple
network interfaces. In addition, the computer system may be powered
on or booted with a new network interface and still receive the
benefit of IDS/IPS protection, without the need to wait until an
administrator can apply a security profile to the interface.
Although the embodiments of the invention have been described in
detail, it will be apparent to one skilled in the art that
variations and modifications to the embodiments may be made within
the scope of the following claims.
* * * * *